CVE-2018-1000840

{"id": "CVE-2018-1000840", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-12-20T15:29:01.877", "references": [{"url": "https://github.com/processing/processing/issues/5706", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/ben_fry/status/1054333613465059329", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/processing/processing/issues/5706", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://twitter.com/ben_fry/status/1054333613465059329", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document."}, {"lang": "es", "value": "Processing Foundation Processing, en versiones 3.4 y anteriores, contiene una vulnerabilidad XEE (XML External Entity) en la funci\u00f3n loadXML() que puede resultar en que un atacante pueda leer archivos arbitrarios y exfiltrar su contenido mediante peticiones HTTP. El ataque parece ser explotable si una v\u00edctima emplea Processing para analizar un documento XML manipulado."}], "lastModified": "2024-11-21T03:40:28.263", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:processing:processing:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA162E67-6660-4DE7-A8D6-E049B91C5C4D", "versionEndIncluding": "3.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}